Medical device hijack

Last updated

A medical device hijack (also called medjack) is a type of cyber attack. The weakness they target are the medical devices of a hospital. This was covered extensively in the press in 2015 and in 2016. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]

Contents

Medical device hijacking received additional attention in 2017. This was both a function of an increase in identified attacks globally and research released early in the year. [12] [13] [14] [15] [16] These attacks endanger patients by allowing hackers to alter the functionality of critical devices such as implants, exposing a patient's medical history, and potentially granting access to the prescription infrastructure of many institutions for illicit activities. [17] MEDJACK.3 seems to have additional sophistication and is designed to not reveal itself as it searches for older, more vulnerable operating systems only found embedded within medical devices. Further, it has the ability to hide from sandboxes and other defense tools until it is in a safe (non-VM) environment.

There was considerable discussion and debate on this topic at the RSA 2017 event during a special session on MEDJACK.3. Debate ensued between various medical device suppliers, hospital executives in the audience and some of the vendors over ownership of the financial responsibility to remediate the massive installed base of vulnerable medical device equipment. [18] Further, notwithstanding this discussion, FDA guidance, while well intended, may not go far enough to remediate the problem. Mandatory legislation as part of new national cyber security policy may be required to address the threat of medical device hijacking, other sophisticated attacker tools that are used in hospitals, and the new variants of ransomware which seem targeted to hospitals.

Overview

In such a cyberattack the attacker places malware within the networks through a variety of methods (malware-laden website, targeted email, infected USB stick, socially engineered access, etc.) and then the malware propagates within the network. Most of the time existing cyber defenses clear the attacker tools from standard serves and IT workstations (IT endpoints) but the cyber defense software cannot access the embedded processors within medical devices. Most of the embedded operating systems within medical devices are running on Microsoft Windows 7 and Windows XP. The security in these operating systems is no longer supported. So they are relatively easy targets in which to establish attacker tools. Inside of these medical devices, the cyber attacker now finds safe harbor in which to establish a backdoor (command and control). Since medical devices are FDA certified, hospital and cybersecurity team personnel cannot access the internal software without perhaps incurring legal liability, impacting the operation of the device or violating the certification. Given this open access, once the medical devices are penetrated, the attacker is free to move laterally to discover targeted resources such as patient data, which is then quietly identified and exfiltrated.

Organized crime targets healthcare networks in order to access and steal the patient records.

Because of the vast breadth of interconnection between medical devices and hospital networks, there are security concerns because medical equipment are not usually considered for routine discovery scans within the context of IT. The IP addresses connecting these devices to the hospital network might lack the necessary software patching and this exposes both the network and devices to a plethora of vulnerabilities. [19]

Impacted devices

Virtually any medical device can be impacted by this attack. In one of the earliest documented examples testing identified malware tools in a blood gas analyzer, magnetic resonance imaging (MRI) system, computerized tomogram (CT) scan, and x-ray machines. In 2016 case studies became available that showed attacker presence also in the centralized PACS imaging systems which are vital and important to hospital operations. In August 2011, representatives from IBM demonstrated how an infected USB device can be used to identify the serial numbers of devices within a close range and facilitate fatal dosage injections to patients with an insulin pump in the annual BlackHat conference. [20]

Impacted institutions

This attack primarily centers on the largest 6,000 hospitals on a global basis. Healthcare data has the highest value of any stolen identity data, and given the weakness in the security infrastructure within the hospitals, this creates an accessible and highly valuable target for cyber thieves. Besides hospitals, this can impact large physician practices such as accountable care organizations (ACOs) and Independent Physician Associations (IPAs), skilled nursing facilities (SNFs) both for acute care and long-term care, surgical centers and diagnostic laboratories.

Instances

There are many reports of hospitals and hospital organizations getting hacked, including ransomware attacks, [21] [22] [23] [24] Windows XP exploits, [25] [26] viruses, [27] [28] [29] and data breaches of sensitive data stored on hospital servers. [30] [22] [31] [32]

Community Health Systems, June 2014

In an official filing to the United States Securities and Exchange Commission, Community Health Systems declared that their network of 206 hospitals in 28 states were targets of a cyber-attack between April and June 2014. [33] The breached data included sensitive personal information of 4.5 million patients including social security numbers. The FBI determined that the attacks were facilitated by a group in China [34] and issued a broad warning to the industry, advising companies to strengthen their network systems and follow legal protocols to help the FBI restraint future attacks. [35]

Medtronic, March 2019

In 2019 the FDA submitted an official warning concerning security vulnerabilities in devices produced by Medtronic ranging from Insulin pumps to various models of cardiac implants. [36] The agency concluded that CareLink, the primary mechanism used for software updates in addition to monitoring patients and transferring data during implantation and follow-up visits, did not possess a satisfactory security protocol to prevent potential hackers from gaining access to these devices. The FDA recommended that health care providers restrict software access to established facilities while unifying the digital infrastructure in order to maintain full control throughout the process. [36]

Scope

Various informal assessments have estimated that medical device hijacking currently impacts a majority of the hospitals worldwide and remains undetected in the bulk of them. The technologies necessary to detect medical device hijacking, and the lateral movement of attackers from command and control within the targeted medical devices, are not installed in the great majority of hospitals as of February 2017. A statistic would note that in a hospital with 500 beds, there are roughly fifteen medical devices (usually internet of things (IoT) connected) per bed. [37] That is in addition to centralized administration systems, the hospital diagnostic labs which utilized medical devices, EMR/EHR systems and CT/MRI/X-ray centers within the hospital.

Detection and remediation

These attacks are very hard to detect and even harder to remediate. Deception technology (the evolution and automation of honeypot or honey-grid networks) can trap or lure the attackers as they move laterally within the networks. The medical devices typically must have all of their software reloaded by the manufacturer. The hospital security staff is not equipped nor able to access the internals of these FDA approved devices. They can become reinfected very quickly as it only takes one medical device to potentially re-infect the rest in the hospital.

Organized crime targets healthcare networks in order to access and steal the patient records. This poses a significant risk to patient data such as credit card information and other protected health information. Because of the vast breadth of interconnection between medical devices and hospital networks, there are security concerns because medical equipment are not usually considered for routine discovery scans within the context of IT (cybersecurity). The IP addresses connecting these devices to the hospital network might lack the necessary software patching and this exposes both the network and devices to a plethora of vulnerabilities. [38]

Countermeasures

On 28 December 2016 the US Food and Drug Administration released its recommendations that are not legally enforceable for how medical device manufacturers should maintain the security of Internet-connected devices. [39] [40] The United States Government Accountability Office studied the issue and concluded that the FDA must become more proactive in minimizing security flaws by guiding manufacturers with specific design recommendations instead of exclusively focusing on protecting the networks that are utilized to collect and transfer data between medical devices. [41] The following table provided in the report [41] highlights the design aspects of medical implants and how they affect the overall security of the device in focus.

See also

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security, cybersecurity, digital security or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

<span class="mw-page-title-main">Cybercrime</span> Type of crime based in computer networks

Cybercrime encompasses a wide range of criminal activities that are carried out using digital devices and/or networks. These crimes involve the use of technology to commit fraud, identity theft, data breaches, computer viruses, scams, and expanded upon in other malicious acts. Cybercriminals exploit vulnerabilities in computer systems and networks to gain unauthorized access, steal sensitive information, disrupt services, and cause financial or reputational harm to individuals, organizations, and governments.

Ransomware is a type of cryptovirological malware that permanently blocks access to the victim's personal data unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

A blended threat is a software exploit that involves a combination of attacks against different vulnerabilities. Blended threats can be any software that exploits techniques to attack and propagate threats, for example worms, trojan horses, and computer viruses.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, personal computer devices, or smartphones. An attacker is a person or process that attempts to access data, functions, or other restricted areas of the system without authorization, potentially with malicious intent. Depending on the context, cyberattacks can be part of cyber warfare or cyberterrorism. A cyberattack can be employed by sovereign states, individuals, groups, societies or organizations and it may originate from an anonymous source. A product that facilitates a cyberattack is sometimes called a cyber weapon. Cyberattacks have increased over the last few years. A well-known example of a cyberattack is a distributed denial of service attack (DDoS).

Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them between 2010 and 2021. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.

Deception technology is a category of cyber security defense mechanisms that provide early warning of potential cyber security attacks and alert organizations of unauthorized activity. Deception technology products can detect, analyze, and defend against zero-day and advanced attacks, often in real time. They are automated, accurate, and provide insight into malicious activity within internal networks which may be unseen by other types of cyber defense. Deception technology enables a more proactive security posture by seeking to deceive an attacker, detect them and then defeat them.

<span class="mw-page-title-main">WannaCry ransomware attack</span> 2017 worldwide ransomware cyberattack

The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It propagated by using EternalBlue, an exploit developed by the United States National Security Agency (NSA) for Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a month prior to the attack. While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end-of-life. These patches were imperative to cyber security, but many organizations did not apply them, citing a need for 24/7 operation, the risk of formerly working applications breaking because of the changes, lack of personnel or time to install them, or other reasons.

The 2018 SingHealth data breach was a data breach incident initiated by unidentified state actors, which happened between 27 June and 4 July 2018. During that period, personal particulars of 1.5 million SingHealth patients and records of outpatient dispensed medicines belonging to 160,000 patients were stolen. Names, National Registration Identity Card (NRIC) numbers, addresses, dates of birth, race, and gender of patients who visited specialist outpatient clinics and polyclinics between 1 May 2015 and 4 July 2018 were maliciously accessed and copied. Information relating to patient diagnosis, test results and doctors' notes were unaffected. Information on Prime Minister Lee Hsien Loong was specifically targeted.

Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element. This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.

Trickbot is a trojan for Microsoft Windows and other operating systems. Its major function was originally the theft of banking details and other credentials, but its operators have extended its capabilities to create a complete modular malware ecosystem.

Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian, who target organizations rather than individual consumers.

Emsisoft Ltd. is a New Zealand-based anti-virus software distributed company. They are notable for decrypting ransomware attacks to restore data.

<span class="mw-page-title-main">Health Service Executive ransomware attack</span> 2021 cyber attack on the Health Service Executive in Ireland

On 14 May 2021, the Health Service Executive (HSE) of Ireland suffered a major ransomware cyberattack which caused all of its IT systems nationwide to be shut down.

In mid-May 2021 hospital computer systems and phone lines run by the Waikato District Health Board (DHB) in New Zealand were affected by a ransomware attack. On 25 May, an unidentified group claimed responsibility for the hack and issued an ultimatum to the Waikato DHB, having obtained sensitive data about patients, staff and finances. The Waikato DHB and New Zealand Government ruled out paying the ransom.

<span class="mw-page-title-main">2022 Ukraine cyberattacks</span> Attack on Ukrainian government and websites

During the prelude to the 2022 Russian invasion of Ukraine and the 2022 Russian invasion of Ukraine, multiple cyberattacks against Ukraine were recorded, as well as some attacks on Russia. The first major cyberattack took place on 14 January 2022, and took down more than a dozen of Ukraine's government websites. According to Ukrainian officials, around 70 government websites, including the Ministry of Foreign Affairs, the Cabinet of Ministers, and the National and Defense Council (NSDC), were attacked. Most of the sites were restored within hours of the attack. On 15 February, another cyberattack took down multiple government and bank services.

Clop is a cybercriminal organization known for its multilevel extortion techniques and global malware distribution. It has extorted more than $500 million in ransom payments, targeting major organizations worldwide. Clop gained notoriety in 2019 and has since conducted high-profile attacks, using large-scale phishing campaigns and sophisticated malware to infiltrate networks and demand ransom, threatening to expose data if demands are not met.

References

  1. "Medical Devices Used as Pivot Point in Hospital Attacks: Report - SecurityWeek.Com".
  2. Ragan, Steve (4 June 2015). "Attackers targeting medical devices to bypass hospital security".
  3. "Medical data, cybercriminals' holy grail, now espionage target". Reuters. 5 June 2017.
  4. "'MEDJACK' tactic allows cyber criminals to enter healthcare networks undetected". 4 June 2015.
  5. "MEDJACK: Hackers hijacking medical devices to create backdoors in hospital networks".
  6. "Hospitals Can Protect Against Data Breach Using Deception Technologies – Electronic Health Reporter".
  7. "Encrypting medical records is vital for patient security – Third Certainty".
  8. "Medjacking: The newest healthcare risk?". 24 September 2015.
  9. "Epidemic: Researchers Find Thousands of Medical Systems Exposed to Hackers". 29 September 2015.
  10. "Medical Devices a Target for Online Hackers – JD Supra".
  11. Hacking Healthcare IT in 2016
  12. "Medical Devices Are the Next Security Nightmare – WIRED". Wired.
  13. "4 cybersecurity threats every hospital C-suite admin should be familiar with in 2017".
  14. "MEDJACK.3 Poses Advanced Threat To Hospital Devices". 16 February 2017.
  15. "The lurker in your MRI machine wants money, not your life – Archer Security Group". 16 February 2017.
  16. "San Mateo cyber security firm uncovers malware on medical devices". 16 February 2017.
  17. ProQuest   1799648673
  18. "Connected medical devices spark debate at RSA Conference session".
  19. Martinez, Jon B. (2018). "Medical Device Security in the IoT Age". 2018 9th IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON). pp. 128–134. doi:10.1109/UEMCON.2018.8796531. ISBN   978-1-5386-7693-6 . Retrieved 2024-01-31.
  20. Hei X., Du X. (2013) Conclusion and Future Directions. In: Security for Wireless Implantable Medical Devices. SpringerBriefs in Computer Science. Springer, New York, NY
  21. Leetaru, Kalev. "Hacking Hospitals And Holding Hostages: Cybersecurity In 2016". Forbes. Retrieved 29 December 2016.
  22. 1 2 "Cyber-Angriffe: Krankenhäuser rücken ins Visier der Hacker". Wirtschafts Woche. 7 December 2016. Retrieved 29 December 2016.
  23. "Hospitals keep getting attacked by ransomware — Here's why". Business Insider. Retrieved 29 December 2016.
  24. "MedStar Hospitals Recovering After 'Ransomware' Hack". NBC News. 31 March 2016. Retrieved 29 December 2016.
  25. Pauli, Darren. "US hospitals hacked with ancient exploits". The Register. Retrieved 29 December 2016.
  26. Pauli, Darren. "Zombie OS lurches through Royal Melbourne Hospital spreading virus". The Register. Retrieved 29 December 2016.
  27. "Grimsby hospital computer attack: 'No ransom has been demanded'". Grimsby Telegraph. 31 October 2016. Retrieved 29 December 2016.[ permanent dead link ]
  28. "Hacked Lincolnshire hospital computer systems 'back up'". BBC News. 2 November 2016. Retrieved 29 December 2016.
  29. "Lincolnshire operations cancelled after network attack". BBC News. 31 October 2016. Retrieved 29 December 2016.
  30. "Legion cyber-attack: Next dump is sansad.nic.in, say hackers". The Indian Express. 12 December 2016. Retrieved 29 December 2016.
  31. "Former New Hampshire Psychiatric Hospital Patient Accused Of Data Breach". CBS Boston. 27 December 2016. Retrieved 29 December 2016.
  32. "Texas Hospital hacked, affects nearly 30,000 patient records". Healthcare IT News. 4 November 2016. Retrieved 29 December 2016.
  33. "Form 8-K". www.sec.gov. Retrieved 2019-09-15.
  34. "Community Health says data stolen in cyber attack from China". Reuters. 2014-08-18. Retrieved 2019-09-15.
  35. "Advice to Healthcare Providers on Ransomware from the Head of the FBI". The National Law Review. Retrieved 2019-09-15.
  36. 1 2 Health, Center for Devices and Radiological (2019-03-21). "Cybersecurity Vulnerabilities Affecting Medtronic Implantable Cardiac Devices, Programmers, and Home Monitors: FDA Safety Communication". FDA.
  37. "The Healthcare CIO Factbook". 13 January 2021.
  38. Martinez, Jon B. (2018). "Medical Device Security in the IoT Age". 2018 9th IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON). pp. 128–134. doi:10.1109/UEMCON.2018.8796531. ISBN   978-1-5386-7693-6 . Retrieved 2024-01-31.
  39. Becker, Rachel (27 December 2016). "New cybersecurity guidelines for medical devices tackle evolving threats". The Verge. Retrieved 29 December 2016.
  40. "Postmarket Management of Cybersecurity in Medical Devices" (PDF). Food and Drug Administration . 28 December 2016. Retrieved 29 December 2016.
  41. 1 2 Medical Devices : FDA Should Expand Its Consideration of Information Security for Certain Types of Devices : Report to Congressional Requesters. Washington, D.C: United States Government Accountability Office; 2012.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.